Pandacap: Part 2 - Authorization
Since Pandacap is a single-user application, I really didn't want
to write my own authentication and authorization system. The only
goal was to allow myself to log in, and no one else. So instead of
using an email/password combo, like the default Identity template,
I've limited it to just this:
There's no username or password entry on Pandacap's login page -
just the external account buttons, implemented via OAuth. The
DeviantArt integration is fairly natural - Pandacap can already
crosspost to and receive notifications from DeviantArt. But what's
the Microsoft button for?
Well, I didn't just remove the standalone login mechanism - I
also took two steps to prevent other users from logging in through
OAuth:
- The DeviantArt login is rejected if the user's DeviantArt account does not match one that a known user has already set up.
- The Microsoft login is rejected unless the user's Microsoft account has permission to use the application.
Together, this allows me to set up Pandacap with my Microsoft
account, then attach my DeviantArt account, and use either one of
them to log in. The first part of this was pretty simple - just
adding some code to ExternalLogin.cshtml.cs:
```csharp
// Only the Microsoft provider is allowed to create or sign in without an
// existing link; every other provider must already be attached to a user.
if (info.LoginProvider != "Microsoft")
{
    var user = await _userManager.FindByLoginAsync(
        info.LoginProvider,
        info.ProviderKey);
    if (user == null)
    {
        // a custom error page
        return RedirectToPage("./UnrecognizedAccount");
    }
}
```
The second part, though, is implemented entirely through Entra
ID. The process is described in
the README, but you can see here that my own account is the
only one with the ability to sign in through the "Pandacap" app
registration:
I've also turned on "assignment required" in the Properties
section.
Once the owner logs into Pandacap with their Microsoft account,
they can then attach their DeviantArt account by clicking "Hello"
in the corner and going to the "external logins" page - all
standard behavior for an ASP.NET Core Identity application.
Essentially, this all means that the only way to create a
Pandacap account is to log in with the owner's Microsoft account,
and that the only way to log into that Pandacap account is with
that Microsoft account or a DeviantArt account that they have
attached.
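To show where that provider check sits in the overall login flow, here is an added example of a complete external-login callback for an ASP.NET Core Identity Razor Page; it is not Pandacap's own code. It assumes the default Identity scaffold names (OnGetCallbackAsync, _signInManager, _userManager, IdentityUser), that the Microsoft provider is registered under the name "Microsoft", and that the provider key is acceptable as a user name.

```csharp
// Added example, not Pandacap's code. Assumes the default Identity scaffold:
// SignInManager<IdentityUser> _signInManager, UserManager<IdentityUser> _userManager.
public async Task<IActionResult> OnGetCallbackAsync(string? returnUrl = null)
{
    var info = await _signInManager.GetExternalLoginInfoAsync();
    if (info == null)
        return RedirectToPage("./Login");

    // Non-Microsoft providers (DeviantArt) may only sign in an account that
    // already has this external login attached; they can never create one.
    if (info.LoginProvider != "Microsoft")
    {
        var existing = await _userManager.FindByLoginAsync(
            info.LoginProvider, info.ProviderKey);
        if (existing == null)
            return RedirectToPage("./UnrecognizedAccount");
    }

    // Sign in if this external login is already linked to a local account.
    var result = await _signInManager.ExternalLoginSignInAsync(
        info.LoginProvider, info.ProviderKey,
        isPersistent: false, bypassTwoFactor: true);
    if (result.Succeeded)
        return LocalRedirect(returnUrl ?? "/");

    // Only an unlinked Microsoft login reaches this point. Entra ID's
    // "assignment required" setting decides which Microsoft accounts can
    // obtain a token for the app registration at all, so the set of accounts
    // that can create a local user is controlled outside this code.
    // Assumption: the provider key is used as the user name.
    var user = new IdentityUser { UserName = info.ProviderKey };
    var created = await _userManager.CreateAsync(user);
    if (!created.Succeeded)
        return RedirectToPage("./Login");

    await _userManager.AddLoginAsync(user, info);
    await _signInManager.SignInAsync(user, isPersistent: false);
    return LocalRedirect(returnUrl ?? "/");
}
```

If the "assignment required" setting were ever switched off on the app registration, the account-creation branch would become reachable by any Microsoft account, so that tenant setting is the control to monitor.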
Other External Accounts
Pandacap talks to more than just DeviantArt, though - it also has
Bluesky and Weasyl support. (This is in addition to ActivityPub
and RSS/Atom, which are built into the app itself.) Both of these
accounts can be configured from the main profile page, in the
bottom section (which only appears once you're logged in):
For Bluesky, Pandacap will ask for a PDS (you can use bsky.social
or the more specific regional server), your DID, and your
password. The password isn't saved permanently (it's used to
acquire an access token, which gets refreshed as necessary) but
the other two are. Also note that Pandacap will allow you to enter
your handle here (e.g. example.bsky.social), but it will
then convert it to a DID, and this is what will be stored and
shown on the homepage.
Weasyl, meanwhile, just asks for your API key, which you can
create at https://www.weasyl.com/control/apikeys.
(By the way, the reason Fur Affinity isn't included is because it
doesn't have an API that would allow authentication, and I didn't
want to build a scraper or rely on someone else's.)